Fraudulent e-mails, known as phishing attacks, have brought chaos across the digital world, causing billions of dollars of damage. These attacks are known for their ability to exploit the human aspect of a computer system by pretending to originate from a source trusted by the victim. While technological defenses have been set up for protection, people are still succumbing to these attacks at alarming rates. Therefore, educational techniques must be implemented to strengthen the human factor of security. We propose the use of a phishing IQ test that, when used in a classroom setting, can help users build the experience needed to identify phishing e-mails during their daily routine.
Phishing is generally described as sending computer users messages claiming to originate from a legitimate entity and attempting to lead the user to provide private information that will be further used for identity theft (“Phishing,” 2006). While the nature of the message (and the purported originating entity) varies with each individual attack, one can notice that the impersonated entities continue to diversify and that the sheer number of such attacks is staggering. A brief review of phishing related news for the first seven days of November 2006, in chronological order, is shown in Figure 1. Such a bleak reality is shared by professional reports that suggest that the number of reported phishing attempts almost doubled between August 2005 and August 2006 (“Phishing Activity Trends Report - September 2006,” 2006).
Figure 1. Survey of phishing related news for the first week of November 2006
Faced with an increasing threat, software companies, federal agencies, financial and commercial institutions and internet service providers have increased their anti-phishing efforts. Statistics monitoring the threat level are now compiled monthly, and repositories of phishing events have been created (and are publicly available). As the variety of phishing techniques increases, more defense tools and methods are developed. Recent versions of internet browsers provide ‘anti-phishing’ filters (an application component that checks the website against a list of known phishing sites) (Microsoft, 2006). Log-in procedures have been revamped by requiring multi-step authentication and changing challenge-response pairs (Schechter, Dhamija, Ozment, & Fischer, 2007). Despite all this effort from the IT world, people continue to fall victim to phishing tactics. It is therefore necessary to improve upon previous methods of education to help protect an increasingly vulnerable population. Thus, we present an educational method that can be used to teach users how to protect themselves from phishing-associated identity theft. To better understand how to identify a phishing attack, people need to learn how and why phishing works. Hence, it is imperative to show the reasons phishing is so successful, as well as why it has become one of the top cyber threats of the new millennium. With this knowledge, people should be able to see their own mistakes in phishing identification and be able to reduce the problem.
In the following, we start by providing a survey of the ‘state of the art’ in phishing. Next, we describe the phishing education strategies we developed and implemented. The educational method includes phishing detection tests, as well as an education session that starts by defining the threat and builds that knowledge into means for phish identification. The education module has already been administered to approximately 120 undergraduate students at Montclair State University. Survey results indicate an increased awareness of the issue and an increased ability to detect phishing attempts.
Key Terms in this Chapter
Identity theft: The act of stealing personal information and user credentials, with the intent of using the information for fraudulent purposes.
Context-Aware Phishing IQ Test: The combination of context information about a target audience and a phishing IQ test that is custom built as a way to optimize the education experience of the end-users.
Phishing Botnet: A collection of compromised computers that run with the intent of conducting phishing attacks.
Page Load Attack: A toolbar exploit that delays a webpage from fully loading in the web browser as a way of preventing the browser from determining the webpage’s authenticity.
Context-Aware Phishing Attack: A phishing attack that is built from information gathered in advance about the target and is used to harvest the additional information needed for identity theft.
Phishing: The use of social engineering in e-mails for the purpose of deceiving the recipient into either compromising sensitive information or following a set of instructions that leads to a security breach.
Content Distribution Network Attacks: A toolbar exploit that appends a blacklisted phishing address to a whitelisted webpage in an effort to circumvent the toolbar.
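To make the list-based browser filter described above and the Content Distribution Network Attack definition concrete, here is an added Python example (not code from the chapter or from any browser vendor). It assumes, as a simplification, that the "appended" phishing address travels as a URL-shaped query or fragment value on a whitelisted page; the whitelist and blacklist hosts are constructed sample values. The naive filter trusts the outer host first, so the blacklisted address rides through; the hardened filter checks every embedded address and lets the blacklist win.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lists (assumed for this example, not from the chapter).
WHITELIST = {"www.examplebank.com"}
BLACKLIST = {"login-examplebank.evil-example.net"}


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def naive_verdict(url):
    """Whitelist checked first, on the outer host only.

    A whitelisted page that carries a blacklisted address (e.g. in a
    redirect-style parameter) is therefore reported as 'safe'.
    """
    host = host_of(url)
    if host in WHITELIST:
        return "safe"
    if host in BLACKLIST:
        return "phishing"
    return "unknown"


def embedded_urls(url):
    """The URL itself plus any URL-shaped query or fragment values (one level)."""
    found = [url]
    parts = urlsplit(url)
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        value = unquote(value)
        if value.startswith(("http://", "https://")):
            found.append(value)
    fragment = unquote(parts.fragment)
    if fragment.startswith(("http://", "https://")):
        found.append(fragment)
    return found


def hardened_verdict(url):
    """Blacklist outranks whitelist, and every embedded address is checked."""
    hosts = [host_of(u) for u in embedded_urls(url)]
    if any(h in BLACKLIST for h in hosts):
        return "phishing"
    # Only a whitelisted page with no embedded addresses is vouched for.
    if len(hosts) == 1 and hosts[0] in WHITELIST:
        return "safe"
    return "unknown"
```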